Peter Schober peter.schober at
Tue May 7 14:07:33 EDT 2019

* Robert Lamothe <robert_lamothe at> [2019-05-07 19:58]:
> Ok, how about this?
> <resolver:DataConnector xsi:type="dc:ComputedId"
>     id="computedID"
>     generatedAttributeID="computedID"
>     sourceAttributeID="sAMAccountName"
>     salt="<salt value removed for security purposes">
>     <resolver:Dependency ref="myLDAP" />
> </resolver:DataConnector>

That's perfect. And it means something else must be going on here (as
many here suspected, I guess) as the above says the generated ePTID
would only change if the value of the subject's 'sAMAccountName'
attribute changed (or the salt changed, but that's global for the
whole IDP and so would affect all values for all subjects).

So the only thing left to exclude here is the possiblity that
sAMAccountName values change when people have to change their
password. Which is very unlikely unless you're making highly original
use of that attribute.

Once that's settled you're left with a mystery: Your configuration
does not explain the behaviour you describe.
(Which could mean it's not the active configuration of your production
service, or yet something else I can't imagine right now.)


More information about the users mailing list